
The OpenEdge client fails to connect to a secure web server which has disabled the SSLv3 protocol


Information

Title: The OpenEdge client fails to connect to a secure web server which has disabled the SSLv3 protocol
URL Name: 000057299
Article Number: 000172813
Environment:
Product: OpenEdge
Version: 10.x, 11.x
OS: All supported platforms
Question/Problem Description
The OpenEdge client fails to connect to a secure server which has disabled the SSLv3 protocol.
The OpenEdge client is unable to connect via HTTPS after the SSLv3 protocol has been disabled on the server.
The OpenEdge Web Service client fails to connect to a secure Web Service which has disabled the SSLv3 protocol.
The OpenEdge Web Service client is unable to connect to a Web Service via HTTPS after the SSLv3 protocol has been disabled on the Web Service.
The OpenEdge ABL Socket client fails to connect to a web server which has disabled the SSLv3 protocol.
The OpenEdge ABL Socket client is unable to connect via HTTPS after the SSLv3 protocol has been disabled on the web server.

Steps to Reproduce
Clarifying Information
The SSLv3 protocol was disabled on the server due to the POODLE vulnerability.

In the case of Tomcat, the connector is configured similar to the following:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="C:\Apache\Tomcat 7.0\conf\.keystore" keystorePass="progress"
           clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
Error Message:
Secure Socket Layer (SSL) failure. error code 28924: SSL routines
Secure Socket Layer (SSL) failure. error code 29712: SSL routines (9318)
Defect Number: Defect PSC00326235
Enhancement Number
Cause
The ABL client can and does use TLSv1; the problem is the protocol version of the client's SSL Hello message. The ABL client always sends, and is only capable of sending, an SSLv3 Hello message that advertises SSLv3 and TLSv1 as its supported protocols. A server running in strict mode rejects the SSLv3 Hello message and requires a TLSv1 Hello instead. A server that accepts an SSLv3 Hello message responds by selecting TLSv1, and the ABL client then upgrades the connection to use TLSv1.
Resolution
Upgrade to OpenEdge 10.2B0848.
For further details, please reference the whitepaper "Addressing POODLE vulnerability and SHA2 support in Progress OpenEdge 10.2B08".

Upgrade to OpenEdge 11.3.3.026.
For further details, please reference the whitepaper "Addressing POODLE vulnerability and SHA2 support in Progress OpenEdge 11.3.3".

Upgrade to OpenEdge 11.4.0.028.
For further details, please reference the whitepaper "Addressing the POODLE Vulnerability in Progress OpenEdge in 11.4.0.028HF".

Upgrade to OpenEdge 11.5.1 or later.
For further details, please reference the document "OpenEdge® Service Pack: New Information" which is available on the Service Pack download page or the whitepaper "Addressing POODLE vulnerability and SHA2 support in Progress OpenEdge 11.5.1".

Upgrade to OpenEdge 11.6.
For further details, please reference "OpenEdge Getting Started: Core Business Services - Security and Auditing, Chapter 2, Security in OpenEdge > SSL Security" in the OpenEdge 11.6 documentation set.
Workaround
Configure the web server to accept SSLv3 Hello messages. In the case of Tomcat, enable the SSLv2Hello protocol, which allows both SSLv2 and SSLv3 Hello messages; the Tomcat connector would then be configured as follows:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="E:\Apache\Tomcat 7.0\conf\.keystore" keystorePass="progress"
           clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" />
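As an added illustration of the Cause and Workaround sections above (example code written for this article, not OpenEdge, Tomcat or JSSE code), the Python script below builds a minimal SSLv3-format ClientHello that advertises TLSv1, which is what the article says the ABL client sends, parses the two version fields back out of it, and models the server's accept/reject decision: a strict server that enables only TLSv1 and later rejects the hello, while a server that tolerates the legacy hello format (the role the SSLv2Hello setting plays in the Tomcat workaround) negotiates TLSv1. The ClientHello bytes are constructed, the random field is zeroed, and the `server_accepts` policy is a simplified model of the behaviour described in the article, not the real JSSE negotiation logic.

```python
"""Classify a ClientHello by its two version fields and model the server-side
accept/reject decision described in the article. Added example: all bytes are
constructed here, not captured from an OpenEdge client."""
import struct

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def build_client_hello(record_version, client_version, cipher_suites):
    """Construct a minimal SSLv3/TLS-format ClientHello record.

    record_version is the outer record-layer version (what the article calls the
    version of the SSL Hello message); client_version is the highest protocol
    version the client advertises inside the handshake body.
    """
    body = bytes(client_version)
    body += bytes(32)                                   # client random (zeroed, constructed)
    body += b"\x00"                                     # session id length = 0
    suites = b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites     # cipher_suites vector
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes(record_version) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (record_version, client_version) from a TLS-format ClientHello record.

    Both are (major, minor) tuples. Raises ValueError for anything that is not a
    handshake record carrying a ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (record[1], record[2])
    length = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + length]
    if len(hs) < 6 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    client_version = (hs[4], hs[5])
    return record_version, client_version


def server_accepts(record, enabled_protocols, legacy_hello=False):
    """Simplified model of the server decision in the article (not JSSE code).

    Strict mode (legacy_hello=False): the record-layer version of the hello itself
    must be an enabled protocol, so a TLSv1-only server rejects an SSLv3 Hello.
    legacy_hello=True models Tomcat's SSLv2Hello setting: the old hello format is
    tolerated and the server selects the highest enabled version the client
    advertises. Returns the negotiated protocol name, or None on rejection.
    """
    record_version, client_version = parse_client_hello(record)
    enabled = {v for v, name in VERSION_NAMES.items() if name in enabled_protocols}
    if not legacy_hello and record_version not in enabled:
        return None
    # The client supports every version from the hello's own version up to client_version
    # (the article: SSLv3 and TLSv1 for the ABL client).
    candidates = [v for v in enabled if record_version <= v <= client_version]
    return VERSION_NAMES[max(candidates)] if candidates else None


def demo():
    """Run the scenarios from the article and return the negotiated protocol per case."""
    # Cipher suites named in the article's Notes: TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)
    # and SSL_RSA_WITH_3DES_EDE_CBC_SHA (0x000A).
    abl_hello = build_client_hello((3, 0), (3, 1), [0x002F, 0x000A])      # SSLv3 Hello advertising TLSv1
    modern_hello = build_client_hello((3, 1), (3, 3), [0x002F])           # TLS-format hello advertising TLSv1.2
    strict = ["TLSv1", "TLSv1.1", "TLSv1.2"]                               # sslEnabledProtocols after POODLE
    return {
        "strict": server_accepts(abl_hello, strict),                        # None: hello rejected
        "with_legacy_hello": server_accepts(abl_hello, strict, legacy_hello=True),  # "TLSv1"
        "sslv3_enabled": server_accepts(abl_hello, strict + ["SSLv3"]),     # "TLSv1"
        "modern_client": server_accepts(modern_hello, strict),              # "TLSv1.2"
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result}")
```

The `strict` case reproduces the failure in the Question/Problem Description: the hello is rejected before any version selection happens, which is why the client-side error is a generic SSL routines failure rather than a cipher or certificate error. The `with_legacy_hello` case is the workaround; the `sslv3_enabled` case shows that re-enabling SSLv3 would also make the connection succeed, but at the cost of the POODLE exposure the server change was meant to remove.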
Notes
Please note that with some web servers it is also necessary to limit the ciphers being used due to the issue described in the following article: https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

For example, when using the BIO connector for Tomcat this can be done by setting the following connector properties:
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" 
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"


Progress Article(s):
How does the POODLE vulnerability affect OpenEdge?
000060465 What version of SSL / TLS does the ABL client use when connecting to a WebService?
Secure Web Service connections from an OpenEdge client to a Microsoft IIS 6.0 web server on Windows 2003 fail
Does OpenEdge 10.x or 11.x support SHA-2 signed certificates?
Keyword Phrase:
Last Modified Date: 11/20/2020 7:21 AM
